You are here:

Microsoft Security Bulletin Summary for October 2013

Number: AV13-036
Date: 09 October 2013

Purpose

The purpose of this advisory is to bring attention to the monthly Microsoft Security Bulletin Summary for October. The summary covers 8 bulletins (4 Critical and 4 Important), which address multiple vulnerabilities in some Microsoft products.

MS13-085 - Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2885080)
Details: The vulnerabilities could allow remote code execution if a user opens a specially crafted Office file with an affected version of Microsoft Excel or other affected Microsoft Office software. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This security update resolves two privately reported vulnerabilities in Microsoft Office.
Security Impact: Remote Code Execution
Aggregate Severity Rating: Important
Maximum Exploitability Index: 2 - Exploit code would be difficult to build
Maximum Denial of Service Exploitability Index: Not Applicable
Affected Product: Microsoft Office
CVE References: CVE-2013-3889, CVE-2013-3890https://technet.microsoft.com/en-us/security/bulletin/ms13-085

MS13-086 - Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (2885084)
Details: This security update resolves two privately reported vulnerabilities in Microsoft Office.
The vulnerabilities could allow remote code execution if a specially crafted file is opened in an affected version of Microsoft Word or other affected Microsoft Office software. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Security Impact: Remote Code Execution
Aggregate Severity Rating: Important
Maximum Exploitability Index: 1 - Exploit code likely
Maximum Denial of Service Exploitability Index: Not Applicable
Affected Product: Microsoft Office
CVE References: CVE-2013-3891, CVE-2013-3892https://technet.microsoft.com/en-us/security/bulletin/ms13-086

MS13-087 - Vulnerability in Silverlight Could Allow Information Disclosure (2890788)
Details: The vulnerability could allow information disclosure if an attacker hosts a website that contains a specially crafted Silverlight application that could exploit this vulnerability and then convinces a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. Such websites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit a website. Instead, an attacker would have to convince users to visit a website, typically by getting them to click a link in an email message or in an Instant Messenger message that takes them to the attacker’s website. It could also be possible to display specially crafted web content by using banner advertisements or by using other methods to deliver web content to affected systems. This security update resolves a privately reported vulnerability in Microsoft Silverlight.
Security Impact: Not Applicable
Aggregate Severity Rating: Important
Maximum Exploitability Index: 3 - Exploit code unlikely
Maximum Denial of Service Exploitability Index: Not Applicable
Affected Product: Microsoft Silverlight
CVE References: CVE-2013-3896https://technet.microsoft.com/en-us/security/bulletin/ms13-087

Suggested action

CCIRC recommends that system administrators test and deploy the vendor-released updates to affected applications accordingly.

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.